[Dshield] Yaha question

Doug doug at dwhite.ws
Wed Nov 27 21:14:13 GMT 2002


According to the Symantec site the W32.Yaha.F at mm virus is
not being sent from who it appears to be.  An examination of
the header info will reveal where it is actually coming
from. Most of the ones I have trapped seem to come from
Asian origins.

It gets into a system by posing as returned mail and that
will by-pass the auth requirements.  I am seeing a number of
these from the wild, some spoofing my email address, and
some spoofing others.

Symantec has a free scan tool that will search for and
remove any infection, and of course, everyone is urged to
keep an updated A/V program to scan their email as it comes
in.  Do not open unfamiliar attachments.


================================
This address is filtered through the open relay database at
http://www.ordb.org
and is virus scanned by ANTIVIR
http://www.dwhite.ws
mailto:doug at dwhite.ws
================================
  ----- Original Message -----
  From: KeithTarrant at spamcop.net
  To: list at dshield.org
  Sent: Wednesday, November 27, 2002 2:26 PM
  Subject: Re: [Dshield] Yaha question


  Anthony -

  Can you post a couple of the emails your system allegedly
sent -- including the full headers.

  Maybe your email address is being spoofed as the sender.

  As for the virus sending itself to people not in your
address book, check the technical description of the virus.
There are several places this virus goes to to get email
addresses, not just the address book.

  Another thing you can try to look for the virus is to use
a web based virus scanner (free).  It is a simple way to
double check that your regular virus scanner hasn't missed
anything due to corruption or an oversight on the makers
part.

  http://housecall.trendmicro.com/housecall/start_corp.asp
  http://security1.norton.com/

  To fix your computer.  Disable any automatic mail pickup.
Make sure you have good passwords on any shared disks.  Use
read only shares in preference to read-write shares.  Clean
your computer, apply all critical updates using Windows
Update (don't apply updates for languages you don't use or
hardware you don't have).  If you don't have certain of
those critical Windows fixes you can get infected before
your virus monitor can prevent it.

  You might also want to re-install your AV and firewall
software and re-update it.

  - Keith
    ----- Original Message -----
    From: Anthony Bego
    To: list at dshield.org
    Sent: Tuesday, November 26, 2002 10:17 PM
    Subject: [Dshield] Yaha question


    Hi Grant,



    I noticed your Yaha fix on the web and I wanted to ask
you for a little help.  Main problem is I cannot tell if I
have the virus or not.  When I receive an infected mail with
the   W32.Yaha.F at mm Norton recognizes it and says it put it
in quarantine.  But I keep getting mails about 5-10 per day
saying I have this infection.  I downloaded the fix/scan
tool from Norton fixyaha.com and it says it's clean.  My exe
files seem to work fine but people keep telling me I am
sending then this virus?  I downloaded the latest office
patches from Mircoshaft and that stopped it for a few days
but it has started up again. Infected mails over and over.
I even get return mails form people whom I don't have their
email address.  I don't understand how I could have sent
them a virus when I didn't have their email address in my
address book?



    I do not have a mail server just the normal outlook .pst
file.  But was wondering if you knew if I had the virus in
my PC somewhere and possibly  it was undetectable by Norton?
And is there anyway to clean it?




http://www.dshield.org/pipermail/list/2002-September/000904.
html





    Anyway sorry to bother you just wondering if you knew
anything that could help me.



    Anthony Bego

    ------------------------------

    Harton Reed Limited

    Phone:    (852) 3106-3034

    Main:     (852) 3106-3030

    Fax:      (852) 3106-3031

    Email:  abego at hartonreed.com

    http://www.hartonreed.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20021127/e592309b/attachment.htm


More information about the list mailing list